A new Google-funded study of browser security by security research firm Accuvant Labs crowned Chrome the champion of security features, and ranked Firefox below Internet Explorer in terms of protection available from web-borne threats. Predictably, Microsoft and Mozilla have different opinions on what makes a browser secure, and why Accuvant's findings are off base. All of this got us thinking about which browser is the most secure, and whether the security features listed in studies like this even matter to the rest of us.

How Was the Study Performed?

Accuvant looked at three browsers for its study: Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. All three were tested and examined running in 32-bit Windows 7, and the research was wrapped up in July of 2011, so the current release versions of each browser at that time were the ones included in the report. Accuvant says they left out other browsers, like Safari and Opera, to save time, but they do plan to update their findings on the big three as more data becomes available and each development house improves on their application.

Accuvant's study of browser security is probably the most comprehensive performed to date, even though other browsers and OSes weren't included. The researchers will be happy to tell you that they look deeper than bug-trackers and vulnerability lists, and try to get a bit more information about what makes a browser secure or vulnerable to threats—both current and in the future. Part of that effort led the researchers to examine how each browser performed when an intruder already had access to a machine with each browser installed, and how much information they could obtain.

What Did the Study Find?

Accuvant researchers determined that Google Chrome had the most new and effective security features aimed at protecting users from malicious code and scripts embedded in web pages, or automatically downloaded and executed as part of the sites they visit. They examined three major areas:

Sandboxing, or the method by which a browser limits access to system resources and data beyond the confines of the browser, was one area of significant difference. Researchers found Chrome was most effective of all three browsers at keeping an intruder away from private data not associated with the browser. Internet Explorer also has sandboxing features but researchers claimed intruders are given some file-reading abilities even if they are prevented from installing software. Firefox, on the other hand, is simply listed as "unimplemented or ineffective."

Just-In-Time (JIT) Hardening, which keeps the browser from compiling JavaScript that cannot be run on the user's computer, was another area where Chrome and IE were on par, but Firefox fell far behind.

Plug-In Security was another area where Chrome rose above its competition, denying running plug-ins from installing additional software and from running scripts that don't require user interaction while on a web site.

In all three areas, Chrome came out on top. The researchers tied Chrome with Internet Explorer in Sandboxing and JIT Hardening, but point out that Chrome was just a bit better in both areas. In all three areas, Firefox got the lowest marks. In other areas, however, all three browsers tied, and in at least one area, URL Blacklisting, all three browsers got poor marks, although the researchers again pointed out that Chrome did better than the other two—just that none of them did blacklisting very well.

Ultimately, Accuvant's researchers gave Chrome the top spot, with Internet Explorer right behind it. They pointed to Google's ability to build Chrome from the ground up, from scratch, without having to deal with legacy code or shoehorn in older capabilities the way Microsoft and Mozilla have with Internet Explorer and Firefox. Essentially, according to the research team, Chrome is the most secure because Google was able to write it with a fresh perspective and security in mind, without baggage to bring along.

What Do Mozilla and Microsoft Say About This?

Mozilla's Director of Firefox Development, Johnathan Nightingale, responded to the study in an article at Forbes, and said "Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We're proud of our reputation on security, and it remains a central priority for Firefox."

Similarly, Microsoft pointed to a study by NSS Labs that showed Internet Explorer dominating all of its rivals—including Firefox and Chrome—at protecting user systems from malware. However, just as the Accuvant study was sponsored and commissioned by Google, NSS Labs' studies are often paid for by Microsoft, so there's plenty of skepticism to go around.

Google and Accuvant both explained that even though they commissioned the study, they knew that if the results were in their favor, that fact would cast doubt on the merits of the result. Accuvant explained in an article at Ars Technica that Google gave them more than a wide berth to do the research, and insisted that the study be an impartial look at the state of browser security. Accuvant, for its part, has also put its reputation on the line, stating the study is representative of their company and its quality of work, and they stand behind it.

Whether Google was so open about the study being independent because they knew the testing methodology and the fact that their codebase put them at an advantage is another story, but as of now, no one's criticising Accuvant's results or methodology. The real question, however, is how much should you or I care?

Does Any of This Matter? What Should I Do?

In the end, the study is important, but the real linchpin of browser security is—and always has been—the user behind the keyboard. Chrome may be on top now, but Microsoft and Mozilla will make changes as a result of the findings. Accuvant's methodology assumes your system is compromised, and also assumes that you have no other protection besides the browser's own security features to protect you, neither of which is likely true for most users. In the interim, this study will wind up being used as cannon fodder in the browser wars, with one browser's fans firing it at another's without ever bothering to read it.

For the most part, browser security is a matter of user responsibility. Make sure you surf responsibly, and use SSL whenever possible. Don't accept, run, or even download anything if you're not sure what it is or why you were prompted to download a file, and only keep the extensions and add-ons running that you need on a daily basis.

Firefox users can use extensions like HTTPS Everywhere to browse securely whenever a secure session is available and on services that allow you to turn on SSL, and use an extension like NoScript to stop malicious JavaScript in its tracks. Chrome users can get similar functionality with add-ons like NotScript or ScriptNo, which do very similar things. In the end, browser security features only go so far to protect you, and as long as you take a cautious, skeptical, security-focused approach to surfing, it likely won't matter which browser you use.